What Is A SIEM Solution? Can It Prevent Cyber Attacks? Do You Need It?
I can’t tell you the number of times someone has asked me what they should do after a cyber breach. At that point, their organization is in crisis mode. While certain actions can minimize the effect of a breach after the fact, effective preparation before a breach happens is always the best defense.
If you own a business or work in IT, you may have heard of security information and event management (SIEM) solutions. If you aren’t an IT expert, you might have no idea what the term means or how it can help prevent cyber attacks.
I’ve been working as a cybersecurity professional for nearly two decades. I understand that not everybody follows cybersecurity as closely as I do. In this article, I’ll explain what a SIEM solution is, what it does, how it can help prevent cyber attacks, and why most organizations today need one.
Let’s start at the beginning.
What Is A SIEM Solution?
A SIEM (pronounced “seam”) solution is an IT tool that combines security information management and security event management capability in one source. The term, initially introduced in 2005 by Mark Nicolett and Amnit Williams, is now widely used by IT experts around the world.
What Benefits Does A SIEM Solution Provide?
Think of an effective SIEM for cybersecurity like the traditional physical security operations room in your favorite action movie.
1. Centralized Monitoring and Analysis
Whether you prefer James Bond, Jason Bourne, or another protagonist, many action movies feature at least one scene in which a security guard tracks the location and activity of people via a bank of monitors. The security guard looks for suspicious activities as defined by the (government or criminal) organization.
In the same way, quality SIEM products collect event logs for individual systems and network devices (such as switches, routers, and firewalls) in one centralized location for monitoring and analysis. This provides IT security analysts with a comprehensive, centralized dashboard to track and review activity.
For example, a system running low on memory may or may not indicate that the system has been compromised. A good SIEM will, at a minimum, provide enough data so that a security analyst can use it to try to determine what’s happening. Really powerful SIEMs will do at least some of that analysis automatically with varying degrees of accuracy.
2. Specialized Services
SIEMs can focus on different aspects of your network. Some are designed specifically for threat detection and response. These SIEMs can correlate events from different kinds of data sources. For example, it may be able to associate unusual activity on a router with an unusual login or file access on a computer.
That correlation is a great way to help automate the visualization of what can happen during an attack or breach as it’s happening.
Some SIEMs don’t just take in the native logs on systems (like Windows security logs, event logs on switches, and firewalls), but also those generated by security-oriented applications. For example, a SIEM may be able to ingest, parse, and analyze logs produced by your anti-virus software or other security products. If an incident occurs, the log helps you figure out how the incident happened, the most effective incident response, and what can be done to prevent similar incidents in the future.
A SIEM also can generate reports that track contractual compliance metrics and they can even be used for large-scale Security Operations Centers.
Some SIEM solutions, when effectively set up and monitored, meet the requirements of select NIST 800-171 controls, such as the Audit and Accountability family of controls. This is particularly important for SMBs who often struggle with meeting these requirements.
Are There Different SIEM Options?
There are many different types of SIEM solutions available. When it comes to SIEM, one size definitely does not fit all, and every company doesn’t need a top-of-the-line solution. An experienced managed services provider (MSP) with security knowledge and experience can help figure out the best solution for you based on your organization’s size, budget, security risk, and other factors.
What Are The Challenges OF A SIEM Solution?
SIEMs provide a great number of benefits, but they present challenges, too.
To be effective, SIEM products need to be configured to generate the appropriate alerts for any given organization. Many of them are designed to flag too many things, and the end result is that analysts will spend too much time sorting through all the “noise” and potentially miss the most important events.
Each organization needs to decide what things should pop up on the dashboard for cybersecurity professionals to look at as well as what issues need to be flagged for further general security investigation.
SIEM software can be expensive. And, the cost can go beyond just the purchase and licensing costs involved. Complex, powerful SIEM solutions may require the purchase of new hardware to provide adequate responsiveness and storage capabilities.
Another hidden cost that many people don’t think about is how much it will cost to manage the solution yourself.
- How much will you pay in labor fees to learn the product and configure it?
- How long will it take to understand the rules you want to establish about monitoring and alerting?
There will be a learning curve.
Make sure to take into account the costs, but realize that the benefits far outweigh the cost. And, keep in mind that there are some very high-quality, publicly accessible open-source products available.
Who Needs A SIEM Solution?
Any business with an enterprise network larger than an average home network (or more than a couple of employees using more than two computers) needs a SIEM solution.
In today’s ever-changing IT landscape, there are just too many devices and logs to effectively monitor manually.
Can My IT Staff Handle SIEM Solution Selection And Customization?
Bigger organizations with a large on-site IT and cybersecurity staff may have the skills and time to think proactively and customize the SIEM solution. The reality, though, is that many organizations don’t have the budget to support a full complement of IT professionals.
Small- to medium-sized businesses (SMBs) often have a very small or nonexistent IT staff. The degree of intensity of monitoring and customizing alerts that need a response (based on an organization’s size and risk) varies greatly from one company to another. The customization process could be a deal-breaker for a small IT staff.
If the SIEM solution is not fine-tuned to pick up on just the things you care about, the level of data collected will be overwhelming, limiting its effectiveness. When SIEMs are effectively configured, they provide vital information about activities/incidents to help determine what happened and what needs to be done to mitigate the situation and prevent future recurrence.
Wondering If An IT MSP Can Help Craft The Right SIEM Solution For Your Business?
Now you know what a SIEM is, what it does, the benefits and challenges to expect, who needs one, and whether or not your staff is up to the task.
Looking to find out more about SIEM, cybersecurity, or any other IT subject? An MSP can help. This article, What Does An MSP Do?, provides a comprehensive overview of the services MSPs provide.
If you want a cost-effective way to reap the benefits of an IT team that has the experience and the skills to manage all or part of your IT infrastructure and craft the perfect solution for your business, an MSP might be the right solution for you.
Your ability to meet customer needs and keep information safe is critical to the reputation and ultimate success of your business; don’t leave it to chance.